Attack traffic may include denial of service (DoS) attacks, port scans and network probes that detect and exploit system vulnerabilities, protocol-based attacks on intermediary routing systems, etc. DoS attack traffic is characterized by explicit attempts by attackers to prevent legitimate users from using a service, i.e., to compromise availability, meaning that the service is accessible when desired. Host- and application-level attacks are a concern for many service providers as well as end-site customers, and each of these DoS attack vectors continues to be a major threat facing end sites. As service providers develop value-added revenue sources based on Internet protocol (IP) application services, the open nature of the IP infrastructure puts those revenue sources at risk. Excessive traffic and resource depletion attacks may use forged or spoofed source addresses, compromised hosts (e.g., botnets), or both; these mechanisms increase the difficulty of tracing an attack back to its initiator. Routing protocol-based attacks can be used to compromise legitimate routing and forwarding.
Current network security systems use traffic scrubbing, blackhole routing, sinkhole routing, intrusion detection systems, and backscatter traceback techniques to address attack traffic. For example, current network security systems divert attack traffic to a traffic scrubbing device or to a set of distributed or centralized traffic scrubbing devices. The traffic scrubbing device forwards valid or legitimate traffic to its destination and discards the attack traffic. In blackhole routing, a network administrator identifies a host under attack and null routes (i.e., discards) all traffic destined for the host, whether legitimate or illegitimate. A sinkhole is a part of a network that advertises certain ranges of IP addresses and attracts traffic destined for those ranges so that it can be analyzed. Backscatter traceback is primarily useful for spoofed attacks in which the attackers use source addresses drawn from across the IP address space: the victim's replies (e.g., TCP SYN-ACKs and RSTs, ICMP unreachable messages) go to the spoofed addresses, and those that land in unused address ranges monitored by the provider are collected and analyzed in aggregate by a central administration to detect and characterize the spoofed attacks.
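The backscatter traceback technique described above, as an added worked example that is not part of the original text: replies landing in an unused address range are classified as backscatter, aggregated by their source (the host under attack), and extrapolated to the size of the spoofed flood. The dark range 198.51.100.0/24, the packet records, the reply types treated as backscatter, the threshold on distinct destinations and the uniform-spoofing extrapolation are all assumptions made for this example.

```python
"""Backscatter traceback over constructed packet records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
from typing import Iterable, Optional

# Unused ("dark") address range that the provider routes to a collector.
# 198.51.100.0/24 is documentation space, used here purely as a constructed example.
DARK_SPACE = ipaddress.ip_network("198.51.100.0/24")

# Fraction of the IPv4 space the collector observes; a flood with uniformly
# spoofed sources sends this fraction of the victim's replies into DARK_SPACE.
SAMPLING_FRACTION = DARK_SPACE.num_addresses / 2**32


@dataclass(frozen=True)
class Packet:
    src: str             # sender of the observed packet (the victim, for backscatter)
    dst: str             # address the packet was sent to
    proto: str           # "tcp", "udp" or "icmp"
    tcp_flags: str = ""  # e.g. "SA" for SYN-ACK, "RA" for RST-ACK
    icmp_type: Optional[int] = None


def is_backscatter(pkt: Packet) -> bool:
    """True if the packet is the kind of reply a host sends to an unsolicited
    packet, i.e. what a victim emits toward a spoofed source address."""
    if pkt.proto == "tcp":
        # SYN-ACK answering a spoofed SYN, RST answering a packet to a closed port
        return pkt.tcp_flags in {"SA", "R", "RA"}
    if pkt.proto == "icmp":
        # echo reply, destination unreachable, time exceeded
        return pkt.icmp_type in {0, 3, 11}
    return False


def detect_spoofed_attacks(packets: Iterable[Packet], min_distinct_dsts: int = 3) -> dict:
    """Aggregate backscatter landing in DARK_SPACE by its source. A source that
    replies to many *different* dark addresses is being flooded with packets
    carrying randomly spoofed sources; a single dark address contacted by one
    source is more likely a scan or a misconfiguration (assumed threshold)."""
    per_src = defaultdict(lambda: {"packets": 0, "dsts": set()})
    for pkt in packets:
        if ipaddress.ip_address(pkt.dst) not in DARK_SPACE or not is_backscatter(pkt):
            continue
        per_src[pkt.src]["packets"] += 1
        per_src[pkt.src]["dsts"].add(pkt.dst)

    report = {}
    for src, stats in per_src.items():
        if len(stats["dsts"]) < min_distinct_dsts:
            continue
        report[src] = {
            "backscatter_packets": stats["packets"],
            "distinct_dark_dsts": len(stats["dsts"]),
            # Extrapolate from the sampled fraction to the whole spoofed flood
            # (assumes sources were spoofed uniformly across the IPv4 space).
            "estimated_attack_packets": round(stats["packets"] / SAMPLING_FRACTION),
        }
    return report


# Constructed sample: 203.0.113.10 is being SYN-flooded with spoofed sources and its
# SYN-ACKs/RSTs spray across the dark range; 192.0.2.7 is a scanner probing one address.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "198.51.100.14", "tcp", "SA"),
    Packet("203.0.113.10", "198.51.100.201", "tcp", "SA"),
    Packet("203.0.113.10", "198.51.100.77", "tcp", "RA"),
    Packet("203.0.113.10", "198.51.100.9", "tcp", "SA"),
    Packet("203.0.113.10", "198.51.100.14", "tcp", "SA"),
    Packet("203.0.113.10", "198.51.100.130", "icmp", icmp_type=3),
    Packet("192.0.2.7", "198.51.100.1", "tcp", "S"),              # a SYN scan, not a reply
    Packet("192.0.2.7", "198.51.100.1", "tcp", "S"),
    Packet("203.0.113.99", "198.51.100.5", "icmp", icmp_type=0),  # one reply to one address
    Packet("203.0.113.10", "10.0.0.1", "tcp", "SA"),              # outside the dark range, ignored
]

if __name__ == "__main__":
    for victim, stats in detect_spoofed_attacks(SAMPLE_PACKETS).items():
        print(victim, stats)
```

On the sample, only 203.0.113.10 is reported: six backscatter packets spread over five distinct dark addresses, which extrapolates to roughly 6 × 2^24 spoofed packets for the whole flood. The scanner's SYNs are not replies and are ignored, and the single echo reply from 203.0.113.99 falls below the distinct-destination threshold, which is what keeps a lone probe or misdirected reply from being reported as an attack.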
However, current network security systems route attack traffic through an open network so that the attack traffic may be analyzed, which may permit the attackers to detect the diversion and exploit it. Furthermore, most centralized network security systems do not permit attack traffic to be processed (e.g., analyzed, scrubbed, etc.) and then forwarded to its destination address. For example, blackhole routing mechanisms discard the attack traffic, and sinkhole routing mechanisms only analyze the attack traffic before discarding it. Traffic scrubbing primarily relies on costly devices deployed in-line on every potential attack path so that the “clean” portion of the traffic can be forwarded to its destination. Alternatives to this in-line approach would entail exposing the fact that the traffic is diverted and inconveniencing the customer.